Hi,

On Tue, Aug 25, 2015 at 1:19 PM, Kevin Lin <k...@sourcefire.com> wrote:
> It's not necessary to whitelist the heuristic. If you choose to, you can
> whitelist the domain which can be done using a .wdb signature. There is
> documentation on how to write an entry in the phishsigs_howto.pdf document.

I think I managed to get it working. Much easier than I expected.

Given this debug output:

LibClamAV debug: Looking up hash 56C3...E7C44D36F0FB9028E16FE for urldefense.proofpoint.com/(26)v2/url?u=http-3A__www.bankofamerica.com_emaildisclaimer&d=AwMFAg&c=ewHkv9vLloTwhsKn5d4bTdoqsmB....

Then there's this:

LibClamAV debug: Phishing: looking up in whitelist: https://urldefense.proofpoint.com:http://www.bankofamerica.com; host-only:0
LibClamAV debug: Looking up in regex_list: https://urldefense.proofpoint.com:http://www.bankofamerica.com/

I've created a wdb rule that looks like this:

X:.+proofpoint\.com:.+bankofamerica\.com:17-

That appears to have solved the problem. I suppose I could be more specific
with my regex, but I think it's okay for now.

Thanks,
Alex

>
> -Kevin
>
> On Tue, Aug 25, 2015 at 1:11 PM, Charles Swiger <cswi...@mac.com> wrote:
>
>> On Aug 25, 2015, at 9:41 AM, Alex <mysqlstud...@gmail.com> wrote:
>> > Thanks very much. I've submitted an fp, but it appears to be the result
>> > of this:
>> >
>> > LibClamAV debug: Looking up hash
>> > 5E5978396FC0F81B1032CDA256B95D0D65EA0605DBE0643E89231C049A337640 for
>> > urldefense.proofpoint.com/(26)v2/url?u=http-3A__www.bankofamerica.com_emaildisclaimer&d=AwMFAg&c=ewHkv9vLloTwhsKn5d4bTdoqsmB
>> > fyfooQX5O7EQLv5TtBZ1CwcvjU063xndfqI8U&r=2aYd0Z__pii05laLdA-SVeMDDGgKztEldmYeWZkrEInUKhhOQFnXGHbtYgd15gmS&m=1gyane
>> > 8UIsmcsdK0OgwckCpz8Guf1pgeNHHmOLXQn5Y&s=XYG3vPf_ZUZQe7myUa6pQ8SUpYmn9GNeGK33YzupujA&e=(293)
>> > LibClamAV debug: Phishcheck:URL after cleanup:
>> > https://urldefense.proofpoint.com-http://www.bankofamerica.com
>> > LibClamAV debug: Phishing: looking up in whitelist:
>> > https://urldefense.proofpoint.com:http://www.bankofamerica.com; host-only:0
>> > LibClamAV debug: Phishing: looking up in whitelist:
>> > .urldefense.proofpoint.com:.www.bankofamerica.com; host-only:1
>> > LibClamAV debug: Looking up in regex_list:
>> > urldefense.proofpoint.com:www.bankofamerica.com/
>> > LibClamAV debug: Lookup result: not in regex list
>> > LibClamAV debug: Phishcheck: Phishing scan result: URLs are way too different
>> > LibClamAV debug: found Possibly Unwanted: Heuristics.Phishing.Email.SpoofedDomain
>> >
>> > Looks like the proofpoint "secure URL" product has mangled the URL so
>> > badly that clamav can't decipher it?
>>
>> Actually, ClamAV recognized and decoded the URL spoofing just fine.
>> So they should be able to whitelist it without any special trouble.
>>
>> > In any case, how would I go about whitelisting either the sender
>> > and/or the email the next time this happens, so I don't have to wait
>> > for the sig team to perform an update?
>>
>> If Bank of America was my bank, I'd contact them and ask them to send
>> their own emails from their own domain rather than sending emails
>> which rather precisely resemble email spoofing attempts.
>>
>> If they declined, I'd find myself another bank who cared enough about email
>> and online security that they weren't outsourcing it to proofpoint.com.
>>
>> Regards,
>> --
>> -Chuck
>>
>> _______________________________________________
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
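A small Python model of the .wdb whitelist lookup that Alex's message describes, added here as an example and not ClamAV's own code: it parses an X:RealURL:DisplayedURL:FuncLevelSpec line, matches it against the "real:displayed" string that the "Looking up in regex_list:" debug line prints, and compares Alex's rule with a tighter, constructed alternative. The search (unanchored) matching semantics are an assumption consistent with the thread, where the rule matched a lookup string ending in "/"; the lookalike displayed URL is constructed on a reserved example domain.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: ClamAV's lookup is modelled as a regex search over "real:displayed",
# the string the "Looking up in regex_list:" debug line prints. Not ClamAV's code.

@dataclass
class WdbEntry:
    pattern: str               # combined RealURL:DisplayedURL regex from the .wdb line
    min_flevel: int            # functionality level range parsed from FuncLevelSpec
    max_flevel: Optional[int]  # None means open-ended ("17-")

def parse_wdb_line(line: str) -> WdbEntry:
    """Parse one X:RealURL:DisplayedURL:FuncLevelSpec line."""
    line = line.strip()
    if not line.startswith("X:"):
        raise ValueError(f"not an X: whitelist entry: {line!r}")
    body, sep, flevel = line[2:].rpartition(":")
    if not sep or not flevel:
        raise ValueError(f"missing FuncLevelSpec: {line!r}")
    lo, dash, hi = flevel.partition("-")     # "17" | "17-" | "17-25"
    max_f = None if (dash and not hi) else int(hi or lo)
    return WdbEntry(body, int(lo), max_f)

def whitelisted(entry: WdbEntry, real_url: str, displayed_url: str, flevel: int = 17) -> bool:
    """True if the (real, displayed) URL pair is covered by the entry at this engine level."""
    if flevel < entry.min_flevel or (entry.max_flevel is not None and flevel > entry.max_flevel):
        return False
    lookup = f"{real_url}:{displayed_url}"   # same shape as the debug line's lookup string
    return re.search(entry.pattern, lookup) is not None

# URL pair taken from the thread's debug output.
REAL = "https://urldefense.proofpoint.com"
DISPLAYED = "http://www.bankofamerica.com/"
ALEX_RULE = r"X:.+proofpoint\.com:.+bankofamerica\.com:17-"
# Constructed tighter rule: anchored, exact hosts, so only this rewrite-host/bank-host pair matches.
TIGHT_RULE = r"X:^https://urldefense\.proofpoint\.com:https?://www\.bankofamerica\.com/?$:17-"
# Constructed displayed URL on a reserved example domain, to show what the broad rule also covers.
LOOKALIKE = "http://www.bankofamerica.com.example/"

def compare_rules() -> dict:
    broad, tight = parse_wdb_line(ALEX_RULE), parse_wdb_line(TIGHT_RULE)
    return {
        "broad_real": whitelisted(broad, REAL, DISPLAYED),           # True
        "broad_lookalike": whitelisted(broad, REAL, LOOKALIKE),      # True: entry is wider than intended
        "tight_real": whitelisted(tight, REAL, DISPLAYED),           # True
        "tight_lookalike": whitelisted(tight, REAL, LOOKALIKE),      # False
    }
```

Running compare_rules() shows why "more specific with my regex" matters: the broad entry also suppresses the heuristic for any displayed host that merely contains bankofamerica.com, while the anchored entry covers only the one real/displayed pair seen in the debug output.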